• Shadow AI is a business design problem, but it can be overcome

    From TechnologyDaily@1337:1/100 to All on Tuesday, July 07, 2026 11:30:24
    Shadow AI is a business design problem, but it can be overcome

    Date:
    Tue, 07 Jul 2026 10:18:57 +0000

    Description:
    Shadow AI is everywhere, but banning it will only make matters worse.

    FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter AI tools are now so widely available that shadow AI has become a risk for every organization. Employees are reaching for them to summarize documents , draft emails, and analyze data - while vendors are increasingly baking AI into their products, often with poor documentation and limited options to switch it off.

    The result is that staff may already be using tools that haven't been
    assessed or approved, potentially exposing the business to risk by unintentionally processing personal or commercially sensitive data. David Smith Social Links Navigation

    Working from the DPO Centre Ltd, David is a highly qualified Data Protection Officer with wide-ranging experience across the Technology and Healthcare industries. The key question facing organizations in 2026 is no longer
    whether to allow AI in the workplace, but how best to manage the AI that is already being used. Latest Videos From Watch full video here:

    Shadow AI isnt simply a question of employee behavior, but a sign that workplace technology is moving faster than governance. What is shadow AI? Shadow AI is the use of AI tools inside an organization without security review, or formal governance and documented sign off from Compliance, Legal
    or IT teams. You may like You fix it by making the secure option just as fast and frictionless as the risky one: Practical advice on addressing shadow AI Shadow AI a step too far, or an opportunity? Shadow AI and agents like OpenClaw are hijacking corporate data too easily

    In practice, this usually means consumer-grade generative AI such as ChatGPT, Gemini, Claude, or Copilot, accessed through a personal account. It can also include AI features quietly embedded in approved SaaS products, browser extensions, transcription services, and the growing wave of autonomous
    agents.

    It's the direct descendant of the shadow IT problem of the late 2000s, but with a shift from unauthorized storage to unsanctioned intelligence. Are you
    a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting
    your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

    It is harder for organizations to detect, and much harder to control, with
    the potential consequences spreading beyond one team or one data mistake. Unlike shadow IT, which was mostly a compliance concern, shadow AI creates
    new risk because it can actively process information, replicate it, and act
    on it. This makes the impact much harder to predict and contain. The risks: data protection and privacy compliance IBM's 2025 Cost of a Data Breach
    Report found that one in five organizations had already experienced a breach linked to unsanctioned AI, adding roughly $670,000 to the average incident cost.

    The more alarming finding for data protection professionals, however, isnt
    the headline cost of containment - its what those incidents exposed. 65% of those AI-related incidents resulted in exposure of personally identifiable information, and 40% led to intellectual property theft. What to read next What is Shadow AI, and why should your business be concerned about it? Many firms don't know what their workers are sharing with AI tools Tame your AI gremlins before the chaos becomes permanent

    The data protection risks are considerable, especially for GDPR-regulated organizations operating in the UK and EU. When an employee pastes customer data into a free-tier chatbot , several obligations may be simultaneously breached. Article 5 demands lawful and transparent processing, which is impossible if the organization doesn't know the processing is happening.

    Article 28 requires a data processing agreement with any third-party processor, and no such agreement exists between your business and OpenAI or other similar services when an employee uses a personal ChatGPT account. Article 35 requires a Data Protection Impact Assessment (DPIA) for high-risk processing, which can't be performed on tools the organization isnt aware of.

    Maximum penalties can, at least in theory, reach 20 million or 4% of global annual turnover. The EU AI Act The incoming EU AI Act puts further
    obligations on deployers of high-risk systems, including strict due diligence and risk assessments on AI providers. Again, it is impossible for organizations to meet these obligations if they dont know which systems are being used.

    While the EUs enforcement stance isnt yet known, the potential maximum fine here is 6% of global turnover. The risks beyond regulation Beyond formal
    legal sanction, shadow AI could cause serious reputation risk. An incident that causes fundamental harm to individuals or exposes commercial confidentiality agreements is a breach of trust, and the damage could be irrecoverable.

    Unlike files uploaded to an authorized storage service such as Dropbox, data entered into free AI tools may be much harder to retrieve or delete. The contractual terms of many free LLMs allow the provider to use prompts and outputs to train their systems, and this is one reason why these tools can be offered for free, despite their high operating costs.

    Once data has been entered into the system, it may be irrecoverable as it
    will be added to the training dataset. There is no guarantee it can be isolated well enough to be deleted, even if the service provider is willing, and can even resurface unexpectedly.

    The Samsung case of 2023 shows how quickly the risks of shadow AI can become
    a reality. Within weeks of the company permitting ChatGPT use in its semiconductor division, engineers had pasted proprietary source code,
    internal meeting transcripts, and hardware specifications into the consumer interface on at least three separate occasions.

    Samsung initially responded with a blanket ban, since reversed. The lesson here is not that every organization should ban AI - its that without clear access controls, sensitive data can very quickly become exposed. Emerging risks in 2026 The most recent threats to organisations come from the rise of vibe-coding and agentic AI. These use natural language prompts to build applications that process data, and may even make business decisions about
    how that data is used.

    The security risks are a whole topic in itself, but failing to subject vibe-coded apps to scrutiny by your infosec team can mean basic security protocols are missing because the coder didnt know to ask for them.

    Social network Moltbook was vibe coded, and quickly exposed 1.5 million API keys and the emails of 35,000 users. It is an obvious violation of the GDPR security principle, which is the type of failing most regulators are keen to enforce.

    Agents deployed without appropriate quality and review procedures can easily make incorrect or inconsistent decisions, and unchecked biases in the underlying models can discriminate against groups, including based on protected characteristics.

    If this led to a denial of healthcare, or access to financial services, or employment discrimination, there is an active risk of falling foul of
    equality and human rights legislation. How widespread is shadow AI? Numbers are high already and consistently rising, as shown in UpGuard's State of Shadow AI report, which found that more than 80% of employees use unapproved AI tools at work. Netskope, drawing on cloud security telemetry from late
    2024 through late 2025, found that 47% of generative AI usage in the enterprise happens through personal accounts the company doesn't oversee.

    Telus Digital research found that of enterprise employees using GenAI at
    work, around 68% do so with their personal rather than corporate credentials, and 57% admit to entering sensitive information into those tools. Zendesk's
    CX Trends 2025 reported that shadow AI tool usage in healthcare, manufacturing, and financial services grew by more than 200% year on year.

    There is also a striking perception gap. ManageEngine's 2025 survey of US and Canadian workplaces found that 97% of IT decision-makers see significant
    risks in shadow AI, but 91% of employees see no risk, little risk, or that
    the risk was outweighed by the reward. Why staff use shadow AI Perception gap is the key to the whole problem. Employees aren't pasting client data into ChatGPT because they want to commit a policy and compliance violation.
    They're doing it because it makes their job easier, and because no one has given them a safer way to get the same result.

    Systematic policy violations dont speak to lax standards or employee negligence - rather, they speak to an unmet need. The most common shadow AI tasks in ManageEngine's data include summarizing notes and calls, drafting emails, brainstorming, and analyzing reports.

    These are exactly the kinds of repetitive cognitive tasks that overload employees and slows delivery. When approved tools cannot do the work quickly, employees reach for alternatives that can. Free AI tools can often offer greater functionality.

    Enterprise level software needs to be at least as good as the free option, otherwise the free tool will win. Younger members of the workforce are
    digital natives and are used to adopting tools to get the job done and will often move faster than procurement processes allow.

    Software AG's research found that 48% of employees would keep using AI tools even if their organization explicitly banned them, and As Check Point Software's analysis bluntly puts it, banning AI removes the official pathway for employees to flag a tool, and instead guarantees that all new AI in the business is shadow AI. Clearly, bans are not the way to combat the issue. Governance that works The issue of Shadow AI is now too widespread for any well-governed organization to ignore, and the companies getting this right
    are treating it as a signal, not an infraction.

    You need to know what is happening in your organization so you can see where the pressure points are and alleviate the pressure employees so obviously
    feel to use unapproved tools to get the job done. This requires a wide range of stakeholders, and not just IT approving or blocking systems.

    Start by mapping what's already happening. Network monitoring and SaaS discovery tools can usually surface a surprising list of AI services in
    active use; treat that list as research, and not as a way to discipline offenders. Ask your staff, anonymously if needed via surveys and listening sessions, so they can describe what they're trying to accomplish without fear of reprisal.

    When youve identified what people need, provide a sanctioned alternative that's at least as good as the shadow option, with enterprise data
    protections behind it nearly all free tools that staff are likely to use
    have enterprise versions backed up with robust security and data protection agreements.

    Follow that with a short, readable policy, ideally permissive but with guardrails. Name approved tools by category or purpose, list prohibited data inputs (personal data, source code, financial projections, confidential
    client information).

    Finally, invest in literacy training so staff understand what data goes
    where, and refresh it as the tools change. Keep the use cases, their actual use, and the policy under continuous review and update it regularly so you
    can keep ahead of staff needs before they find their own solutions.
    Conclusion Shadow AI is a losing battle if you treat it as a discipline problem; there are too many tools, too much demand, and its too easy to access. Treated as a business design problem, however, it becomes something more powerful.

    Every employee who reaches for an unapproved tool is pointing at a gap, be it in the software they've been given, the workflows they're stuck with, or the support they haven't received.

    Good governance doesn't just close that gap for compliance reasons - it
    closes it in a way that legitimately makes people's jobs easier while delivering the AI capability the business needs through the front door rather than the back. We've featured the best business VPN. This article was
    produced as part of TechRadar Pro Perspectives , our channel to feature the best and brightest minds in the technology industry today.

    The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit



    ======================================================================
    Link to news story: https://www.techradar.com/pro/shadow-ai-is-a-business-design-problem-but-it-ca n-be-overcome


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)